Bugtraq mailing list archives

Re: RFP9903: AeDubug vulnerabilty

From: mdixon () TYNDALL COM AU (Mark Dixon)
Date: Sun, 10 Oct 1999 14:36:18 +1000

4) Put a binary on the system

If you can run programs, you can (attempt) to use ftp or rcp to

pull files

in.  I realize this is dependant on outgoing firewall rules,

access to the

commands, etc.  But it's not impossible--these methods have been

used by

many people contacting me on the RDS issue.

UNC paths work here. If you can setup your own share with guest

access I

believe you can run whatever you like from it.

UNC paths may not work in this instance.  Not all paths contained in

the

registry can be remote.  I'd have to test this to be sure, and also

note

I already tested this before I posted. I should have said UNC paths do
work here.

I have a machine which Dr.Watsons reliably when running SRVINFO.EXE
against a particular host (I haven't figured out why yet...) I changed
the key to point to an executable on a UNC path on a totally unrelated
machine with an enabled GUEST account and everyone permissions on the
share. Sure enough when I fired up SRVINFO it crashed and ran the
executable from the remote share. I was careful to make sure the share
was being accessed using guest privileges (verified in the security
log).

that it may be dependent on what user caused the debugger to fire.


    I'm not quite sure what you mean here... true I crashed the process
as administrator on the machine SRVINFO was running on, but I can't see
why this should make any difference if I was using an unpriveliged
account or an Administrator.

    If you're refering to whether it would work without a user logged in
(say a service crash at the logon screen) then you may well be right. I
haven't tested this. Does the debugger fire when no one is logged in ? I
imagine it does but I've never seen a Dr Watson at the login screen.

    At any rate an Administrator logged in at the console is definately
would be vulnerable to someone using this type of attack to elevate
privileges. It's just one more reason to not use administrator accounts
unless you really have to.

    Regards,

                Mark Dixon

Current thread:

Re: RFP9903: AeDubug vulnerabilty Mark Dixon ext3456 (Oct 05)
- Re: RFP9903: AeDubug vulnerabilty David LeBlanc (Oct 07)
- <Possible follow-ups>
- Re: RFP9903: AeDubug vulnerabilty Mark Dixon (Oct 09)
  - Re: RFP9903: AeDubug vulnerabilty Steve Coleman (Oct 12)
    - Re: RFP9903: AeDubug vulnerabilty David Zverina (Oct 14)
  - Re: RFP9903: AeDubug vulnerabilty David LeBlanc (Oct 12)
    - Re: RFP9903: AeDubug vulnerabilty Jesper M. Johansson (Oct 12)
    - Resistance is futile, or what I learned trying to secure the scanner Blue Boar (Oct 12)
    - SECURITY: RHSA-1999:040 New PAM packages available Cristian Gafton (Oct 12)